Tool Developer: Corey Neskey | cneskey@protonmail.com | github.com/cneskey | linkedin.com/in/cneskey | twitter.com/cneskey | cneskey.github.io/unsur
| Assets at risk: Included | Assets at risk: Excluded | Containers/Points of attack: Included | Containers/Points of attack: Excluded | Threat communities: Included | Threat communities: Excluded | Threat Types: Included | Threat Types: Excluded | Effects: Included | Effects: Excluded |
|---|---|---|---|---|---|---|---|---|---|
| Non Public Information (NPI) | Other | Other devices on Oak-Net | DerpCorp AD Systems | privileged insiders (DerpCorp & Vendors) | non-privileged insiders (DerpCorp & Vendors) | deliberately | Mechanical | confidentiality | integrity |
| | | ServerGaugeReport Server on Oak-Net | DerpCorp SMTP Systems | malicious software | | | Process Failure | availability | |
| | | ServerGaugeIndex Server on Oak-Net | DerpCorp Networking and FW Systems | external attackers | | | Natural | | |
| | | Database instance on ServerGaugeIndex | DerpCorp Vulnerability Scanner Systems | | | | accidentally | | |
| | | DerpCorp sysadmin jump stations on Oak-Net | DerpCorp Vendor Access | | | | | | |
| | | Monitored servers on Maple-Net | DerpCorp Replicated DR Equivalent Systems | | | | | | |
| | | Monitored servers on Birch-Net | DerpCorp Backup Systems | | | | | | |
| | | | DerpCorp DFS Systems | | | | | | |
| | | | DerpCorp Endpoint Security Management Server | | | | | | |
| | | | DerpCorp Endpoint Management Server | | | | | | |
| | | | DerpCorp Hypervisor Server | | | | | | |
Areas were excluded where that was considered reasonable and appropriate given the resources provided and the time constraints set, although they do make up the larger system of supporting technologies. Most components sit on Derp Corp’s subnet called “Oak-Net”.
Plan A Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $394,763 | $789,526 | $1,184,288 |
| Costs | $53,628 | $56,548 | $59,468 |
| Loss | $440,562 | $881,123 | $1,321,685 |
| Mitigation Costs | $0 | $0 | $0 |
| Prevented Loss | $0 | $0 | $0 |
| Net | -$99,427 | -$539,989 | -$980,551 |
Plan B Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $394,763 | $789,526 | $1,184,288 |
| Costs | $53,628 | $56,548 | $59,468 |
| Loss | $197,853 | $395,705 | $593,558 |
| Mitigation Costs | $4,717 | $4,717 | $4,717 |
| Prevented Loss | $242,709 | $485,418 | $728,127 |
| Net | $381,274 | $426,131 | -$257,140 |
Plan C Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $394,763 | $789,526 | $1,184,288 |
| Costs | $53,628 | $56,548 | $59,468 |
| Loss | $170,669 | $341,339 | $512,008 |
| Mitigation Costs | $49,813 | $49,813 | $49,813 |
| Prevented Loss | $269,892 | $539,784 | $809,677 |
| Net | $390,545 | $489,767 | -$302,236 |
Taking into account the project’s known initial and recurring costs, its known benefits, the potential losses due to risks, and control mitigation costs, Derp Corp can expect to spend more resources on security controls to operate the ServerGauge solution than it gains in equivalent value over at least the first 3 years.
| Benefit UID | Benefit Event | Benefits Probability | Benefits Lower Bound | Benefits Most Likely | Benefits Upper Bound | Benefits Rationale | Benefits Recurring_Ben |
|---|---|---|---|---|---|---|---|
| benefit-1 | System performance monitoring and alerting to prevent outages where possible and reduce outage duration. | 90% | $63,477 | $182,292 | $1,718,750 | LowEnd = .5 hrs of outages for 2k employees making 75k+30%bens, MostLikely = 1 hrs of outages 1.5k emps making 100k+30%bens, HighEnd = 4 hrs outages 3k emps making 300k+30%bens, | TRUE |
| benefit-2 | Remote command execution via performance agent. | 50% | $30 | $2,000 | $200,000 | Assumes Upper Bound is cost of one FTE. Not part of original use-case but may be used. | TRUE |
The benefits of this project take the form of prevented outages and a reduction in outage events. The value is estimated from the wages of personnel who would be unable to work during an outage that this solution would prevent, but who would still be paid for their normal work hours. A further potential benefit factored in is prospective use of the solution’s alternative functionality, remote system control. This could save systems administrators time, but because that is uncertain it is given a 50% probability per year of providing value.
| Known Costs UID | Known Cost Event | Known Costs Lower Bound | Known Costs Most Likely | Known Costs Upper Bound | Known Costs Rationale | Known Costs Recurring Expense |
|---|---|---|---|---|---|---|
| cost-1 | Product (ServerGauge) direct purchase costs | $19,790 | $19,790 | $19,790 | Actual Contract | FALSE |
| cost-2 | Product (ServerGauge) support and pro services | $0 | $0 | $0 | No Pro Services | FALSE |
| cost-3 | Internal setup and testing | $1,500 | $24,000 | $72,000 | Wage-based - Sys Engineer x 2 - 1-12 week, ML 4 weeks | FALSE |
| cost-4 | Internal initial security review | $1,500 | $2,800 | $5,600 | Wage-based - Security Analyst x 1 | FALSE |
| cost-5 | Ongoing maintenance and systems administration | $1,500 | $3,000 | $4,000 | Wage-based - Sys Engineer x 1 - 1 to 8 weeks ML 2 | TRUE |
Costs include product purchase costs based on the quote provided by the vendor as well as the system administrator wage plus benefits times the estimated hours required to test and implement the product. The same wage and benefit calculation is used for ongoing systems administration maintenance of the product and review by security analysts.
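The benefit and known-cost tables above give three-point estimates (lower bound, most likely, upper bound). As an added example that is not the tool's own code, the Python below samples them with a BetaPERT distribution and accumulates the totals year over year. The distribution, the cumulative reading of the Year 1 to Year 3 columns, the seed and all function names are assumptions made here; under them the simulated means land within a few percent of the Benefits and Costs rows of the plan tables.

```python
import random

# Three-point estimates copied from the page's tables:
# (uid, probability, lower bound, most likely, upper bound, recurring)
BENEFITS = [
    ("benefit-1", 0.90, 63_477, 182_292, 1_718_750, True),
    ("benefit-2", 0.50, 30, 2_000, 200_000, True),
]
COSTS = [  # known costs have no probability column; 1.0 is assumed here
    ("cost-1", 1.0, 19_790, 19_790, 19_790, False),
    ("cost-2", 1.0, 0, 0, 0, False),
    ("cost-3", 1.0, 1_500, 24_000, 72_000, False),
    ("cost-4", 1.0, 1_500, 2_800, 5_600, False),
    ("cost-5", 1.0, 1_500, 3_000, 4_000, True),
]

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from BetaPERT(low, mode, high); the shape is an assumption."""
    if high == low:                      # degenerate estimate, e.g. a signed contract
        return float(low)
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def simulate_year(rng, items, year):
    """Total for one simulated year; one-time items only count in year 1."""
    total = 0.0
    for _uid, prob, low, mode, high, recurring in items:
        if year > 1 and not recurring:
            continue
        if rng.random() < prob:          # does the event materialise this year?
            total += pert_sample(rng, low, mode, high)
    return total

def expected_cumulative(items, years=3, trials=20_000, seed=1):
    """Mean cumulative total at the end of each year across all trials."""
    rng = random.Random(seed)
    sums = [0.0] * years
    for _ in range(trials):
        running = 0.0
        for y in range(1, years + 1):
            running += simulate_year(rng, items, y)
            sums[y - 1] += running
    return [s / trials for s in sums]

def pert_mean(low, mode, high, lam=4.0):
    """Closed-form BetaPERT mean, useful as a sanity check on the simulation."""
    return (low + lam * mode + high) / (lam + 2)

if __name__ == "__main__":
    for name, items in (("Benefits", BENEFITS), ("Costs", COSTS)):
        print(name, [f"${v:,.0f}" for v in expected_cumulative(items)])
```

The long right tail of benefit-1 (upper bound $1,718,750 against a most likely value of $182,292) is what pulls the expected benefit well above the most likely figure, so the upper-bound rationale deserves the most scrutiny in review.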
| UID | Assets at risk | Containers/Points of attack | Threat communities | Threat Types | Effects | Scenario |
|---|---|---|---|---|---|---|
| Risk-1 | Non Public Information (NPI) | Other devices on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Other devices on Oak-Net. |
| Risk-2 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-3 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-4 | Non Public Information (NPI) | Database instance on ServerGaugeIndex | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Database instance on ServerGaugeIndex. |
| Risk-5 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-6 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-7 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-8 | Non Public Information (NPI) | Other devices on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through Other devices on Oak-Net. |
| Risk-9 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-10 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-11 | Non Public Information (NPI) | Database instance on ServerGaugeIndex | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through Database instance on ServerGaugeIndex. |
| Risk-12 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-13 | Non Public Information (NPI) | Monitored servers on Maple-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-14 | Non Public Information (NPI) | Monitored servers on Birch-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-15 | Non Public Information (NPI) | Other devices on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Other devices on Oak-Net. |
| Risk-16 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-17 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-18 | Non Public Information (NPI) | Database instance on ServerGaugeIndex | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Database instance on ServerGaugeIndex. |
| Risk-19 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-20 | Non Public Information (NPI) | Monitored servers on Maple-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-21 | Non Public Information (NPI) | Monitored servers on Birch-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-22 | Non Public Information (NPI) | Other devices on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Other devices on Oak-Net. |
| Risk-23 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-24 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-25 | Non Public Information (NPI) | Database instance on ServerGaugeIndex | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Database instance on ServerGaugeIndex. |
| Risk-26 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-27 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-28 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-29 | Non Public Information (NPI) | Other devices on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impacts the availability of Non Public Information (NPI) through Other devices on Oak-Net. |
| Risk-30 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impacts the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-31 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impacts the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-32 | Non Public Information (NPI) | Database instance on ServerGaugeIndex | malicious software | deliberately | availability | malicious software deliberately impacts the availability of Non Public Information (NPI) through Database instance on ServerGaugeIndex. |
| Risk-33 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impacts the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-34 | Non Public Information (NPI) | Monitored servers on Maple-Net | malicious software | deliberately | availability | malicious software deliberately impacts the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-35 | Non Public Information (NPI) | Monitored servers on Birch-Net | malicious software | deliberately | availability | malicious software deliberately impacts the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-36 | Non Public Information (NPI) | Other devices on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Other devices on Oak-Net. |
| Risk-37 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-38 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-39 | Non Public Information (NPI) | Database instance on ServerGaugeIndex | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Database instance on ServerGaugeIndex. |
| Risk-40 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-41 | Non Public Information (NPI) | Monitored servers on Maple-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-42 | Non Public Information (NPI) | Monitored servers on Birch-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
42 loss scenarios were independently considered given Plan A, B, and C controls.
| Parameter | min | avg | 75th ptile | max | Rng |
|---|---|---|---|---|---|
| Plan A Loss Event Frequency (LEF) Lower Bound | $0 | $0 | $0 | $0 | $0 |
| Plan A Loss Event Frequency (LEF) Most Likely | $0 | $0 | $0 | $0 | $0 |
| Plan A Loss Event Frequency (LEF) Upper Bound | $0 | $0 | $0 | $0 | $0 |
| Plan A Loss Magnitude (LM) Lower Bound | $5,000 | $5,000 | $5,000 | $5,000 | $5,000 |
| Plan A Loss Magnitude (LM) Most Likely | $200,000 | $200,000 | $200,000 | $200,000 | $200,000 |
| Plan A Loss Magnitude (LM) Upper Bound | $10,000,000 | $10,000,000 | $10,000,000 | $10,000,000 | $10,000,000 |
| Plan B Initial Control Cost Lower Bound | $200 | $200 | $200 | $200 | $200 |
| Plan B Initial Control Cost Most Likely | $500 | $500 | $500 | $500 | $500 |
| Plan B Initial Control Cost Upper Bound | $3,000 | $3,000 | $3,000 | $3,000 | $3,000 |
| Plan B Recurring Control Cost Lower Bound | $0 | $0 | $0 | $0 | $0 |
| Plan B Recurring Control Cost Most Likely | $0 | $0 | $0 | $0 | $0 |
| Plan B Recurring Control Cost Upper Bound | $0 | $0 | $0 | $0 | $0 |
| Plan B Loss Event Frequency (LEF) Lower Bound | $0 | $0 | $0 | $0 | $0 |
| Plan B Loss Event Frequency (LEF) Most Likely | $0 | $0 | $0 | $0 | $0 |
| Plan B Loss Event Frequency (LEF) Upper Bound | $0 | $0 | $0 | $0 | $0 |
| Plan B Loss Magnitude (LM) Lower Bound | $5,000 | $5,000 | $5,000 | $5,000 | $5,000 |
| Plan B Loss Magnitude (LM) Most Likely | $200,000 | $200,000 | $200,000 | $200,000 | $200,000 |
| Plan B Loss Magnitude (LM) Upper Bound | $10,000,000 | $10,000,000 | $10,000,000 | $10,000,000 | $10,000,000 |
| Plan C Initial Control Cost Lower Bound | $3,000 | $3,000 | $3,000 | $3,000 | $3,000 |
| Plan C Initial Control Cost Most Likely | $10,000 | $10,000 | $10,000 | $10,000 | $10,000 |
| Plan C Initial Control Cost Upper Bound | $50,000 | $50,000 | $50,000 | $50,000 | $50,000 |
| Plan C Recurring Control Cost Lower Bound | $0 | $0 | $0 | $0 | $0 |
| Plan C Recurring Control Cost Most Likely | $0 | $0 | $0 | $0 | $0 |
| Plan C Recurring Control Cost Upper Bound | $0 | $0 | $0 | $0 | $0 |
| Plan C Loss Event Frequency (LEF) Lower Bound | $0 | $0 | $0 | $0 | $0 |
| Plan C Loss Event Frequency (LEF) Most Likely | $0 | $0 | $0 | $0 | $0 |
| Plan C Loss Event Frequency (LEF) Upper Bound | $0 | $0 | $0 | $0 | $0 |
| Plan C Loss Magnitude (LM) Lower Bound | $5,000 | $5,000 | $5,000 | $5,000 | $5,000 |
| Plan C Loss Magnitude (LM) Most Likely | $200,000 | $200,000 | $200,000 | $200,000 | $200,000 |
| Plan C Loss Magnitude (LM) Upper Bound | $10,000,000 | $10,000,000 | $10,000,000 | $10,000,000 | $10,000,000 |
| Benefits Lower Bound | $30 | $30 | $30 | $30 | $30 |
| Benefits Most Likely | $2,000 | $2,000 | $2,000 | $2,000 | $2,000 |
| Benefits Upper Bound | $200,000 | $200,000 | $200,000 | $200,000 | $200,000 |
| Known Costs Lower Bound | $0 | $0 | $0 | $0 | $0 |
| Known Costs Most Likely | $0 | $0 | $0 | $0 | $0 |
| Known Costs Upper Bound | $0 | $0 | $0 | $0 | $0 |
[Figures not reproduced: ECDF, Density, Violin, Swarm, Box, and Ridge plots.]